ADR-017: Revert decision to mandate that repository access must be via a Team
Status
✅ Accepted
Context
In May 2022, we decided to mandate that all access to GitHub Repositories must be via a Github Team. Direct repository access would no longer be allowed. The Operations Engineering Team created automation to identify users with direct access to a repository and add them to a Team, thus ensuring they adhered to this access standard.
The proposed benefits of this standard were as follows:
- Better alignment with organisational best practices
- Improve repository access management
- Better self-service by Team Maintainers to manage repository access
- Aid future automation that focuses on GitHub Teams
Problems
Access via Teams is not a best practice in MoJ. - It’s not in the Technical Standards. It is used by some platform teams to set RBAC permissions. It was assumed that this is a best practice when that is simply not the case. That approach could actually be considered technical debt due to a lack of a single IDP.
Made access management less controlled - It hasn’t made anything more secure or easier to manage. Teams still don’t know who has access to their repositories. Service Teams are responsible for managing access to the code that they own as documented in the Technical Standards. By introducing bot-created Teams Operations Engineering has inadvertently taken that responsibly away. It is inappropriate for Operations Engineering to decide who can access someone else’s code arbitrarily.
It has not increased self-service - If anything, it has reduced self-service with more users needing to request Operations Engineering to manage their access.
Standardisation has enabled more automation - It has actually added more complexity, making it harder to apply automation.
Perpetuated a flat organisation - The creation of default teams has led to an even flatter organisation, making it impossible to create any meaningful view of the MoJ Organisation.
Created problems with authentication to platforms - The growth in automatically created Teams has resulted in users having permission problems with access to tools and data. Each time a user is added to a new Team, their profile grows. The variable that contains that information has a fixed length, and eventually, new Teams that are added are not included in that variable, and therefore, permissions are missed/ignored.
Decision
Revert the decision to mandate that repository access must be via a Team. Remove automation that enforces this standard.
Consequences
- Repository permissions can now be managed via a Team or direct access.
- Users will be solely responsible for managing access to their own repositories.
- At some stage, there may be a need to clean up Teams created by the automation.